I have been getting hundreds of the WWW IIS Double Decode Error,without any real positives coming out of it. It seems as if Inbox from Excite, MSN, Hotmail, etc generates those errors, and it's a pain in the rear to have to examine each for possible positives. I read the NSDB entry on it, and don't see how they could be detecting this as an alarm. Any comments?
It is possible that there are still unknown benign triggers for this signature. Could you please email me directly a few examples of your logfile entries. By examining the context of the alarm we should be able to tune the signature for a future release. Our first tuning should have eliminated legitimate traffic that was using the double deobfuscation in the arguments of a url. Perhaps people are using this elswhere legitimately. My e-mail is firstname.lastname@example.org.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...